Independent Review of the Ministry of Social Development’s Information Systems Security

17 October 2012.

MEDIA RELEASE:

Ministry of Social Development Chief Executive Brendan Boyle has today released the Terms of Reference for an investigation into a security breach involving Work and Income Kiosks.

“On Monday I announced that I would commission independent experts to review security around the Kiosks and to also conduct a wider security review of the Ministry’s IT systems.

“Deloitte has now received the Terms of Reference around this, and work has already begun.

“The security breach is being reviewed separately to determine if any individual’s privacy has been interfered with. We will consult with the Privacy Commissioner.

“I understand the public has many questions around how this breach happened and want assurances that we have the best possible systems in place to protect people’s private details.

“We take seriously our responsibility to protect the privacy of clients. It’s unacceptable that this breach happened and I expect this investigation to get to the bottom of how it occurred.

“I will be in a better position to comment further on this issue once I receive the report from Deloitte”.

Terms of Reference

The review will be carried out by Deloitte and will be led by Murray Jack, Chairman, Deloitte (the Independent Reviewer).

The Chief Executive of the Ministry of Social Development (the Chief Executive) has commissioned an independent investigation into the security breach that occurred through the Ministry’s self-service kiosks at two Work and Income service centres, which compromised privacy.

A Steering Group, with external stakeholders, including the Office of the Privacy Commissioner and Office of the Government Chief Information Officer, has been set up to provide independent oversight of the review. This review will take into account the recently announced review of publicly accessible systems by the Government Chief Information Officer.

Objectives of the review

The objectives of the independent review are to address the questions raised about the security of the Work and Income self-service kiosks focusing on what happened, why it happened, the lessons learned, and the actions the Ministry needs to take to address any security issues raised.

The review will also assess the Ministry’s wider information systems security including the policies, governance and culture, and will make recommendations about the actions needed to be taken to restore and increase public confidence in the Ministry’s information systems security.

The review will happen in two phases.

Phase One – Matters in scope

The first part of the review will investigate the circumstances and causes of the kiosk security breach which compromised privacy, focusing on

The establishment and operation of the self-service kiosks in Work and Income service centres, including:

the work done to ensure appropriate information security was put in place at the time that the kiosk infrastructure and services were designed and built;

the independent testing done to ensure the security was operating as designed;

and the Ministry’s response to any security issues identified during the testing.

Information provided to the Ministry by third parties raising security concerns about the kiosks and the appropriateness and effectiveness of the Ministry’s response to these concerns

The appropriateness and effectiveness of the Ministry’s response to the security breach.

Phase Two – Matters in scope

The second part of the review will assess the appropriateness and effectiveness of the Ministry’s wider information systems security, particularly publicly accessible systems, and including the policies, governance, capability and culture.

The review will identify any lessons learned and make recommendations to the Chief Executive about any changes and improvements needed to the Ministry’s information systems security.

Timeframes and reporting

Phase One - The objective is that Phase One of the review will be completed within two weeks.

Phase Two - The timeframe for the completion of Phase Two of the review will be determined following completion of Phase One.

The reports on both phases of the review will be made publicly available.

Governance

The role of the Steering Group is to provide independent oversight of the review and advice to the Chief Executive.

The Steering Group will consist of external stakeholders. The members are: